ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Youtube Caption Generator

v1.0.0

Get captioned video files ready to post, without touching a single slider. Upload your YouTube video files (MP4, MOV, AVI, WebM, up to 500MB), say something...

0· 18·0 current·0 all-time
by@imo14reifey
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to generate captions and the SKILL.md instructs uploads and calls to a nemo video API (mega-api-prod.nemovideo.ai) which is consistent with that purpose. However the SKILL.md frontmatter lists a local config path (~/.config/nemovideo/) that is not reflected in the registry 'Required config paths: none' — an inconsistency that should be clarified.
Instruction Scope
Runtime instructions stay largely within the captioning workflow (upload files, start session, submit SSE messages, render). Points to note: it instructs automatic anonymous-token acquisition (POST to /api/auth/anonymous-token) and to store session_id and NEMO_TOKEN, instructs not to display raw API responses/tokens, and requires auto-detecting an install path to set an X-Skill-Platform header — auto-detection may require reading agent install paths or environment. These behaviors touch tokens, local config, and environment information beyond simply 'call the caption API'.
Install Mechanism
No install spec or code files — instruction-only skill. Nothing is downloaded or extracted by an installer, which reduces install-time risk.
Credentials
The skill requests a single credential (NEMO_TOKEN) which is proportional to calling a third‑party captioning API. However, the SKILL.md also references a local config path (~/.config/nemovideo/) and asks the agent to auto-generate and persist tokens/session IDs; the registry metadata earlier omitted that config path. Requesting to write/read a local config directory is a broader privilege than just reading a single env var and should be confirmed.
Persistence & Privilege
The skill does not request always:true, has no install hooks, and does not declare modifications to other skills. It does instruct storing a session_id and possibly token state for later calls, which is normal for a session-based cloud service.
What to consider before installing
This skill mostly does what it says (uploads videos to a cloud captioning service), but take these precautions before installing or giving it access: - Verify the backend domain (mega-api-prod.nemovideo.ai) and the skill publisher; confirm you trust that service's privacy policy for uploaded videos. - The skill can auto-create an anonymous NEMO_TOKEN and instructs storing tokens/session IDs; decide whether you prefer to supply your own token or allow automatic anonymous tokens (use a throwaway/ephemeral token if you have concerns). - Clarify the config-path discrepancy: SKILL.md references ~/.config/nemovideo/ but the registry said no config paths — ask the publisher whether the skill will read or write files there. - Avoid uploading sensitive or private footage until you've tested with non-sensitive samples and confirmed where and how long files are retained. - Confirm whether the agent will read install paths or other environment details to set X-Skill-Platform headers; if you prefer, run the skill in a restricted environment or sandbox. If the publisher can explain the config-path mismatch and confirm token storage behavior, the implementation would be more straightforward to trust.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eeb5zn10c7478vm6mp7hnnh84qb47

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📝 Clawdis
EnvNEMO_TOKEN
Primary envNEMO_TOKEN

Comments